From owner-freebsd-security@freebsd.org Tue May 12 20:36:41 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id CF2882DB5F5 for ; Tue, 12 May 2020 20:36:41 +0000 (UTC) (envelope-from markjdb@gmail.com) Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49M8jP54jtz3xH3; Tue, 12 May 2020 20:36:41 +0000 (UTC) (envelope-from markjdb@gmail.com) Received: by mail-qt1-x831.google.com with SMTP id b1so11557753qtt.1; Tue, 12 May 2020 13:36:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=83jt+ztmwCtAirnrtdqfEkqEJ67TRwFjbaiD3UHj4Ik=; b=QpQBgEJTrqwQVCM7jdFu68X00G8lUj/bqp6/kjGqV+iIHN3ES4jD3JgzIX405D8A/B AyLUZYd50fvuBdf+ukB393xWWBQnaR1Npg0bf9tRKdfSZfcjrFcOOLxm4NruknNEcxEK CQTxNO+FxmRSbdhny0AWMMClGtH+IO58L2HWFZgpiLqhlgC1iRTw0PhUqyW0dSOJaqCo 1Z3EK2MmFiig6P5W1+GQYbsDlX+53JvVPYKHlwaVmjhUVtOJEIwgtAlv1kvTEGIMxbBp ASm4FZLohn9LMZWI93Rq93jH4CFArUUpXnyX3IV+kJwHnPe87Z7a+2tD/NB7sRMNpzFA LHgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to; bh=83jt+ztmwCtAirnrtdqfEkqEJ67TRwFjbaiD3UHj4Ik=; b=Kxxun+Dbn/oU4qqdNalno6kH9lXdaU6Sg1M0GWpbVxsOCXwFBWDi0d3yJD+TVw5aBc pHRBH5QYPaeBhkGF66Ub1QXoJguSdaP+b4KGRdWYvv0II9Hk6R18rKexfhfYMu4syGp9 OHZphth6VNRoF9F6uI/83LIpyOVPMRIQfagdYJaUmQTJL1+PPxkr7UjqY+1RWvQC1MDn rp2x9BzFcZDfTBDFC+dzjglAErxLrQIDOBuUH3c1zmQIDqQBmP6fdZfhY4mRse3LPCbq FQfD0hWOUfl/1t9tsEXjmjccVqmrf7HM3B75Iw4bW02C9D+wA00Lt9/20TcQFbc5skTI 66pA== X-Gm-Message-State: AGi0PuYKnIjd2yv5cqGkPl3+GZCiIHSDOmkEXuMbr8xeMWgd8I9ARNlm 4XA3NSvJQ+YWz6Zzf9HsjttIXcY7 X-Google-Smtp-Source: APiQypIs4zwXumwHZS6n0hDXIO3zuGXaehkJOctrQlkWXOYvivEdI3fTBj/dXCqW1X3RP8Ez5lLAHA== X-Received: by 2002:ac8:70c:: with SMTP id g12mr23216485qth.71.1589315800299; Tue, 12 May 2020 13:36:40 -0700 (PDT) Received: from raichu (toroon0560w-lp130-15-184-144-87-103.dsl.bell.ca. [184.144.87.103]) by smtp.gmail.com with ESMTPSA id v28sm10483744qtb.49.2020.05.12.13.36.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2020 13:36:39 -0700 (PDT) Sender: Mark Johnston Date: Tue, 12 May 2020 16:36:35 -0400 From: Mark Johnston To: freebsd-security@freebsd.org Cc: FreeBSD Security Advisories Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:13.libalias Message-ID: <20200512203635.GA22386@raichu> References: <20200512194431.2A72735A6@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200512194431.2A72735A6@freefall.freebsd.org> X-Rspamd-Queue-Id: 49M8jP54jtz3xH3 X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-6.00 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 May 2020 20:36:41 -0000 On Tue, May 12, 2020 at 07:44:31PM +0000, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-20:13.libalias Security Advisory > The FreeBSD Project > > Topic: Memory disclosure vulnerability in libalias > > Category: core > Module: libalias > Announced: 2020-05-12 > Credits: Vishnu Dev TJ working with Trend Micro Zero Day Initiative > Affects: All supported versions of FreeBSD > Corrected: 2020-05-12 16:52:08 UTC (stable/12, 12.1-STABLE) > 2020-05-12 16:54:39 UTC (releng/12.1, 12.1-RELEASE-p5) > 2020-05-12 16:52:08 UTC (stable/11, 11.4-STABLE) > 2020-05-12 16:54:39 UTC (releng/11.4, 11.4-BETA1-p1) > 2020-05-12 16:54:39 UTC (releng/11.3, 11.3-RELEASE-p9) > CVE Name: CVE-2020-7455 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The ipfw(4) system facility allows IP packet filtering, redirecting, and > traffic accounting. The ipfw(4) packet filter also contains two different > methods of accomplishing network address translation (NAT): in-kernel and > userspace. Both implementations use the same functions provided by libalias. > > The libalias(3) library is a collection of functions for aliasing and > dealiasing of IP packets, intended for masquerading and NAT. Additionally, > libalias(3) includes modules to support protocols that require additional > logic to support address translation. > > Note: libalias(3) is not used by either the pf(4) or ipf(4) firewalls. > > II. Problem Description > > The FTP packet handler in libalias incorrectly calculates some packet > lengths. This may result in disclosing small amounts of memory from the > kernel (for the in-kernel NAT implementation) or from the process space for > natd (for the userspace implementation). > > III. Impact > > A malicious attacker could send specially constructed packets that exploit the > erroneous calculation allowing the attacker to disclose small amount of memory > either from the kernel (for the in-kernel NAT implementation) or from the > process space for natd (for the userspace implementation). > > IV. Workaround > > No workaround is available. Only systems using NAT and ipfw together are > affected. Systems using ipfw without NAT, or systems leveraging pf(4) or > ipf(4) are not affected. This is not correct. For kernel NAT to be affected, alias_ftp.ko has to be loaded. natd is vulnerable because libalias_ftp.so is loaded by the default /etc/libalias.conf. The workaround in both cases is to make sure that the alias_ftp module is not used.